dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049

General

Target

dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
Size

160KB
MD5

93890e6894dd7ccc8f0bad1cd9775a0a
SHA1

2626f5be581ea9578eb644750b9b28d735baa92a
SHA256

dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049
SHA512

170d810d5f4a16ec6095d697e9718aade2b31582e4eaffc2c0ec8ea9e09413e277c286ea34bd30b08be73278d792b575681a993d22014c9edc1141a87824ff63
SSDEEP

3072:jofpVwLoZZVMrawVeoDrxmcRJ4Cl2w8/cF:jCpSmJw79RJ4ClsC

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
560	calc.exe
1488	notepad.exe

Loads dropped DLL 4 IoCs

pid	Process
1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32006CD338	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system320003C032	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system32calc.exe	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
File created	C:\Windows\system32notepad.exe	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 560	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	28
PID 1512 wrote to memory of 560	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	28
PID 1512 wrote to memory of 560	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	28
PID 1512 wrote to memory of 560	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	28
PID 1512 wrote to memory of 1488	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	29
PID 1512 wrote to memory of 1488	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	29
PID 1512 wrote to memory of 1488	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	29
PID 1512 wrote to memory of 1488	1512	dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe	29

C:\Users\Admin\AppData\Local\Temp\dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe
"C:\Users\Admin\AppData\Local\Temp\dbe5e4c1df40c4b6e4e0107a59824fc099abb023014666dcf06a5325c47a0049.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\calc.exe
  "C:\Users\Admin\AppData\Local\Temp\calc.exe"
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
  2⤵
  - Executes dropped EXE
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
\Users\Admin\AppData\Local\Temp\calc.exe

Filesize
112KB

MD5
e3fcb903305f8ee5551ea66f5c096737

SHA1
84c1f3baae1cc0746c7f17c255e72ecd1baf63c4

SHA256
228cd209855d76c02cd42dd14e5726b1b55598004864dc034a5943d34310feb8

SHA512
efa198c851858ed7569a714d879f8eb8d6516b71decf3aef9a2c6268d40c835ef03ec3836f41b23684c47e4fdb6e92c282075b5e2a3661408ae80866efaea9de

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
65KB

MD5
c9f225f98574759e377bce6d87958c9c

SHA1
3a23ac5865ea5ac89d87b4219646a1cee5820ac1

SHA256
7834f55bcff4d30d7b778bceea618cfd23cf4f184f7db6b74d1b49bbcf6c0560

SHA512
d9ffd8ba019cde8e7d71b6c208f2b949e271527373458fee48e461e49ff096d32361d372a48aaa84b153847dd75c79a99e23f8fa450c888aae180bb3e2dc4c1b

Download Submit
memory/1512-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing